blob: aa12a0c1990b26a0a264ef41d639dca3132dea07 [file] [log] [blame]
Jooyung Han12a0b702021-08-05 23:20:31 +09001/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17//! Verifies APK Signature Scheme V3
Alice Wangaf1d15b2022-09-09 11:09:51 +000018//!
19//! [v3 verification]: https://source.android.com/security/apksigning/v3#verification
Jooyung Han12a0b702021-08-05 23:20:31 +090020
Alice Wangbc4b9a92022-09-16 13:13:18 +000021use anyhow::{ensure, Context, Result};
Jooyung Han12a0b702021-08-05 23:20:31 +090022use bytes::Bytes;
Andrew Scullc208eb42022-05-22 16:17:52 +000023use openssl::pkey::{self, PKey};
Alice Wang79713d92022-07-14 15:10:03 +000024use openssl::x509::X509;
Jooyung Han12a0b702021-08-05 23:20:31 +090025use std::fs::File;
Jooyung Hand8397852021-08-10 16:29:36 +090026use std::io::{Read, Seek};
Jooyung Han12a0b702021-08-05 23:20:31 +090027use std::ops::Range;
28use std::path::Path;
29
Alice Wang5d0f89a2022-09-15 15:06:10 +000030use crate::algorithms::SignatureAlgorithmID;
Jooyung Han12a0b702021-08-05 23:20:31 +090031use crate::bytes_ext::{BytesExt, LengthPrefixed, ReadFromBytes};
Jooyung Han5b4c70e2021-08-09 16:36:13 +090032use crate::sigutil::*;
Jooyung Han12a0b702021-08-05 23:20:31 +090033
34pub const APK_SIGNATURE_SCHEME_V3_BLOCK_ID: u32 = 0xf05368c0;
35
Alice Wang92889352022-09-16 10:42:52 +000036// TODO(b/190343842): get "ro.build.version.sdk"
Jooyung Han12a0b702021-08-05 23:20:31 +090037const SDK_INT: u32 = 31;
38
Jooyung Han12a0b702021-08-05 23:20:31 +090039type Signers = LengthPrefixed<Vec<LengthPrefixed<Signer>>>;
40
41struct Signer {
42 signed_data: LengthPrefixed<Bytes>, // not verified yet
43 min_sdk: u32,
44 max_sdk: u32,
45 signatures: LengthPrefixed<Vec<LengthPrefixed<Signature>>>,
Alice Wanga7cac422022-09-20 13:57:32 +000046 public_key: PKey<pkey::Public>,
Jooyung Han12a0b702021-08-05 23:20:31 +090047}
48
49impl Signer {
50 fn sdk_range(&self) -> Range<u32> {
51 self.min_sdk..self.max_sdk
52 }
53}
54
55struct SignedData {
56 digests: LengthPrefixed<Vec<LengthPrefixed<Digest>>>,
57 certificates: LengthPrefixed<Vec<LengthPrefixed<X509Certificate>>>,
58 min_sdk: u32,
59 max_sdk: u32,
Alice Wang4b7c0ba2022-09-07 15:12:36 +000060 #[allow(dead_code)]
Jooyung Han12a0b702021-08-05 23:20:31 +090061 additional_attributes: LengthPrefixed<Vec<LengthPrefixed<AdditionalAttributes>>>,
62}
63
64impl SignedData {
65 fn sdk_range(&self) -> Range<u32> {
66 self.min_sdk..self.max_sdk
67 }
Alice Wangcd0fa452022-09-21 09:48:33 +000068
69 fn find_digest_by_algorithm(&self, algorithm_id: SignatureAlgorithmID) -> Result<&Digest> {
70 Ok(self
71 .digests
72 .iter()
73 .find(|&dig| dig.signature_algorithm_id == Some(algorithm_id))
74 .context(format!("Digest not found for algorithm: {:?}", algorithm_id))?)
75 }
Jooyung Han12a0b702021-08-05 23:20:31 +090076}
77
Jooyung Han5b4c70e2021-08-09 16:36:13 +090078#[derive(Debug)]
Jooyung Han12a0b702021-08-05 23:20:31 +090079struct Signature {
Alice Wangd73d0ff2022-09-20 11:33:30 +000080 /// Option is used here to allow us to ignore unsupported algorithm.
81 signature_algorithm_id: Option<SignatureAlgorithmID>,
Jooyung Han12a0b702021-08-05 23:20:31 +090082 signature: LengthPrefixed<Bytes>,
83}
84
85struct Digest {
Alice Wangd73d0ff2022-09-20 11:33:30 +000086 signature_algorithm_id: Option<SignatureAlgorithmID>,
Jooyung Han12a0b702021-08-05 23:20:31 +090087 digest: LengthPrefixed<Bytes>,
88}
89
90type X509Certificate = Bytes;
91type AdditionalAttributes = Bytes;
92
Jiyong Parka41535b2021-09-10 19:31:48 +090093/// Verifies APK Signature Scheme v3 signatures of the provided APK and returns the public key
Andrew Scullf3fd4c62022-05-22 14:41:21 +000094/// associated with the signer in DER format.
Alice Wang3c016622022-09-19 09:08:27 +000095pub fn verify<P: AsRef<Path>>(apk_path: P) -> Result<Box<[u8]>> {
96 let apk = File::open(apk_path.as_ref())?;
97 let mut sections = ApkSections::new(apk)?;
Jiyong Parka41535b2021-09-10 19:31:48 +090098 find_signer_and_then(&mut sections, |(signer, sections)| signer.verify(sections))
Jooyung Han12a0b702021-08-05 23:20:31 +090099}
100
Jiyong Parka41535b2021-09-10 19:31:48 +0900101/// Finds the supported signer and execute a function on it.
102fn find_signer_and_then<R, U, F>(sections: &mut ApkSections<R>, f: F) -> Result<U>
103where
104 R: Read + Seek,
105 F: FnOnce((&Signer, &mut ApkSections<R>)) -> Result<U>,
106{
Jooyung Hand8397852021-08-10 16:29:36 +0900107 let mut block = sections.find_signature(APK_SIGNATURE_SCHEME_V3_BLOCK_ID)?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900108 // parse v3 scheme block
Jooyung Hand8397852021-08-10 16:29:36 +0900109 let signers = block.read::<Signers>()?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900110
111 // find supported by platform
Jiyong Parka41535b2021-09-10 19:31:48 +0900112 let supported = signers.iter().filter(|s| s.sdk_range().contains(&SDK_INT)).collect::<Vec<_>>();
Jooyung Han12a0b702021-08-05 23:20:31 +0900113
114 // there should be exactly one
Alice Wangbc4b9a92022-09-16 13:13:18 +0000115 ensure!(
116 supported.len() == 1,
117 "APK Signature Scheme V3 only supports one signer: {} signers found.",
118 supported.len()
119 );
Jooyung Han12a0b702021-08-05 23:20:31 +0900120
Jiyong Parka41535b2021-09-10 19:31:48 +0900121 // Call the supplied function
122 f((supported[0], sections))
123}
Jooyung Han12a0b702021-08-05 23:20:31 +0900124
Jiyong Parka41535b2021-09-10 19:31:48 +0900125/// Gets the public key (in DER format) that was used to sign the given APK/APEX file
Alice Wang3c016622022-09-19 09:08:27 +0000126pub fn get_public_key_der<P: AsRef<Path>>(apk_path: P) -> Result<Box<[u8]>> {
127 let apk = File::open(apk_path.as_ref())?;
128 let mut sections = ApkSections::new(apk)?;
Jiyong Parka41535b2021-09-10 19:31:48 +0900129 find_signer_and_then(&mut sections, |(signer, _)| {
Alice Wanga7cac422022-09-20 13:57:32 +0000130 Ok(signer.public_key.public_key_to_der()?.into_boxed_slice())
Jiyong Parka41535b2021-09-10 19:31:48 +0900131 })
Jooyung Han12a0b702021-08-05 23:20:31 +0900132}
133
Alice Wanga94ba172022-09-08 15:25:31 +0000134/// Gets the v4 [apk_digest].
135///
136/// [apk_digest]: https://source.android.com/docs/security/apksigning/v4#apk-digest
Alice Wang2ef30742022-09-19 11:59:17 +0000137pub fn pick_v4_apk_digest<R: Read + Seek>(apk: R) -> Result<(SignatureAlgorithmID, Box<[u8]>)> {
Andrew Sculla11b83a2022-06-01 09:23:13 +0000138 let mut sections = ApkSections::new(apk)?;
139 let mut block = sections.find_signature(APK_SIGNATURE_SCHEME_V3_BLOCK_ID)?;
140 let signers = block.read::<Signers>()?;
Alice Wanga94ba172022-09-08 15:25:31 +0000141 ensure!(signers.len() == 1, "should only have one signer");
Andrew Sculla11b83a2022-06-01 09:23:13 +0000142 signers[0].pick_v4_apk_digest()
143}
144
Jooyung Han12a0b702021-08-05 23:20:31 +0900145impl Signer {
Andrew Scull9173eb82022-06-01 09:17:14 +0000146 /// Select the signature that uses the strongest algorithm according to the preferences of the
147 /// v4 signing scheme.
148 fn strongest_signature(&self) -> Result<&Signature> {
149 Ok(self
Jooyung Han12a0b702021-08-05 23:20:31 +0900150 .signatures
151 .iter()
Alice Wangd73d0ff2022-09-20 11:33:30 +0000152 .filter(|sig| sig.signature_algorithm_id.is_some())
153 .max_by_key(|sig| sig.signature_algorithm_id.unwrap().content_digest_algorithm())
Alice Wangbc4b9a92022-09-16 13:13:18 +0000154 .context("No supported signatures found")?)
Andrew Scull9173eb82022-06-01 09:17:14 +0000155 }
156
Alice Wang2ef30742022-09-19 11:59:17 +0000157 fn pick_v4_apk_digest(&self) -> Result<(SignatureAlgorithmID, Box<[u8]>)> {
Alice Wangcd0fa452022-09-21 09:48:33 +0000158 let strongest_algorithm_id = self
159 .strongest_signature()?
160 .signature_algorithm_id
161 .context("Strongest signature should contain a valid signature algorithm.")?;
Andrew Sculla11b83a2022-06-01 09:23:13 +0000162 let signed_data: SignedData = self.signed_data.slice(..).read()?;
Alice Wangcd0fa452022-09-21 09:48:33 +0000163 let digest = signed_data.find_digest_by_algorithm(strongest_algorithm_id)?;
164 Ok((strongest_algorithm_id, digest.digest.as_ref().to_vec().into_boxed_slice()))
Andrew Sculla11b83a2022-06-01 09:23:13 +0000165 }
166
Alice Wanga7cac422022-09-20 13:57:32 +0000167 /// Verifies the strongest signature from signatures against signed data using public key.
168 /// Returns the verified signed data.
169 fn verify_signature(&self, strongest: &Signature) -> Result<SignedData> {
170 let mut verifier = strongest
171 .signature_algorithm_id
172 .context("Unsupported algorithm")?
173 .new_verifier(&self.public_key)?;
174 verifier.update(&self.signed_data)?;
175 ensure!(verifier.verify(&strongest.signature)?, "Signature is invalid.");
176 // It is now safe to parse signed data.
177 self.signed_data.slice(..).read()
178 }
179
Alice Wangaf1d15b2022-09-09 11:09:51 +0000180 /// The steps in this method implements APK Signature Scheme v3 verification step 3.
Andrew Scull9173eb82022-06-01 09:17:14 +0000181 fn verify<R: Read + Seek>(&self, sections: &mut ApkSections<R>) -> Result<Box<[u8]>> {
182 // 1. Choose the strongest supported signature algorithm ID from signatures.
183 let strongest = self.strongest_signature()?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900184
185 // 2. Verify the corresponding signature from signatures against signed data using public key.
Alice Wanga7cac422022-09-20 13:57:32 +0000186 let verified_signed_data = self.verify_signature(strongest)?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900187
188 // 3. Verify the min and max SDK versions in the signed data match those specified for the
189 // signer.
Alice Wangbc4b9a92022-09-16 13:13:18 +0000190 ensure!(
Alice Wanga7cac422022-09-20 13:57:32 +0000191 self.sdk_range() == verified_signed_data.sdk_range(),
Alice Wangbc4b9a92022-09-16 13:13:18 +0000192 "SDK versions mismatch between signed and unsigned in v3 signer block."
193 );
Jooyung Hand8397852021-08-10 16:29:36 +0900194
195 // 4. Verify that the ordered list of signature algorithm IDs in digests and signatures is
196 // identical. (This is to prevent signature stripping/addition.)
Alice Wangbc4b9a92022-09-16 13:13:18 +0000197 ensure!(
198 self.signatures
199 .iter()
200 .map(|sig| sig.signature_algorithm_id)
Alice Wanga7cac422022-09-20 13:57:32 +0000201 .eq(verified_signed_data.digests.iter().map(|dig| dig.signature_algorithm_id)),
Alice Wangbc4b9a92022-09-16 13:13:18 +0000202 "Signature algorithms don't match between digests and signatures records"
203 );
Jooyung Hand8397852021-08-10 16:29:36 +0900204
205 // 5. Compute the digest of APK contents using the same digest algorithm as the digest
206 // algorithm used by the signature algorithm.
Alice Wangcd0fa452022-09-21 09:48:33 +0000207 let digest = verified_signed_data.find_digest_by_algorithm(
208 strongest.signature_algorithm_id.context("Unsupported algorithm")?,
209 )?;
210 let computed = sections.compute_digest(digest.signature_algorithm_id.unwrap())?;
Jooyung Hand8397852021-08-10 16:29:36 +0900211
212 // 6. Verify that the computed digest is identical to the corresponding digest from digests.
Alice Wangbc4b9a92022-09-16 13:13:18 +0000213 ensure!(
214 computed == digest.digest.as_ref(),
215 "Digest mismatch: computed={:?} vs expected={:?}",
216 to_hex_string(&computed),
217 to_hex_string(&digest.digest),
218 );
Jooyung Hand8397852021-08-10 16:29:36 +0900219
Alice Wang79713d92022-07-14 15:10:03 +0000220 // 7. Verify that public key of the first certificate of certificates is identical
Jooyung Han543e7122021-08-11 01:48:45 +0900221 // to public key.
Alice Wanga7cac422022-09-20 13:57:32 +0000222 let cert = verified_signed_data.certificates.first().context("No certificates listed")?;
Alice Wang79713d92022-07-14 15:10:03 +0000223 let cert = X509::from_der(cert.as_ref())?;
Alice Wangbc4b9a92022-09-16 13:13:18 +0000224 ensure!(
Alice Wanga7cac422022-09-20 13:57:32 +0000225 cert.public_key()?.public_eq(&self.public_key),
Alice Wangbc4b9a92022-09-16 13:13:18 +0000226 "Public key mismatch between certificate and signature record"
227 );
Jooyung Han543e7122021-08-11 01:48:45 +0900228
Alice Wang92889352022-09-16 10:42:52 +0000229 // TODO(b/245914104)
230 // 8. If the proof-of-rotation attribute exists for the signer verify that the
231 // struct is valid and this signer is the last certificate in the list.
Alice Wanga7cac422022-09-20 13:57:32 +0000232 Ok(self.public_key.public_key_to_der()?.into_boxed_slice())
Jooyung Han12a0b702021-08-05 23:20:31 +0900233 }
234}
235
Jooyung Han12a0b702021-08-05 23:20:31 +0900236// ReadFromBytes implementations
Alice Wang92889352022-09-16 10:42:52 +0000237// TODO(b/190343842): add derive macro: #[derive(ReadFromBytes)]
Jooyung Han12a0b702021-08-05 23:20:31 +0900238
239impl ReadFromBytes for Signer {
240 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
241 Ok(Self {
242 signed_data: buf.read()?,
243 min_sdk: buf.read()?,
244 max_sdk: buf.read()?,
245 signatures: buf.read()?,
246 public_key: buf.read()?,
247 })
248 }
249}
250
251impl ReadFromBytes for SignedData {
252 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
253 Ok(Self {
254 digests: buf.read()?,
255 certificates: buf.read()?,
256 min_sdk: buf.read()?,
257 max_sdk: buf.read()?,
258 additional_attributes: buf.read()?,
259 })
260 }
261}
262
263impl ReadFromBytes for Signature {
264 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
265 Ok(Signature { signature_algorithm_id: buf.read()?, signature: buf.read()? })
266 }
267}
268
269impl ReadFromBytes for Digest {
270 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
271 Ok(Self { signature_algorithm_id: buf.read()?, digest: buf.read()? })
272 }
273}
Jooyung Hand8397852021-08-10 16:29:36 +0900274
Alice Wanga7cac422022-09-20 13:57:32 +0000275impl ReadFromBytes for PKey<pkey::Public> {
276 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
277 let raw_public_key = buf.read::<LengthPrefixed<Bytes>>()?;
278 Ok(PKey::public_key_from_der(raw_public_key.as_ref())?)
279 }
280}
281
Jooyung Hand8397852021-08-10 16:29:36 +0900282#[inline]
Alice Wang98073222022-09-09 14:08:19 +0000283pub(crate) fn to_hex_string(buf: &[u8]) -> String {
Jooyung Hand8397852021-08-10 16:29:36 +0900284 buf.iter().map(|b| format!("{:02X}", b)).collect()
285}